Popular Cable Modem Vulnerable to Remote Reboot Attack

Earlier this month, security researcher David Longenecker announced that he’d discovered a flaw in the popular Arris Motorola SURFboard SB6141. The cross-site request forgery flaw lets an attacker cut users off from the Internet with a specially crafted link (Longenecker has crafted just such a test link at his site, though use it at your peril). According to Longenecker, the flaw is so simple that it doesn’t require a password to be entered, and an attacker can trick users by embedding the link into image URLs.

“Certain SURFboard modems have an unauthenticated cross site request forgery flaw,” notes Longenecker. “The modems have a static IP address that is not consumer-changeable, and the web UI does not require authentication – no username or password is required to access the administration web interface.”

Longenecker notes that a similar approach can be used to reset the modem to its factory settings, causing a service outage while the modem renegotiates with the cable network. The researcher states that in some instances users might need to contact their ISP to get the SB6141 reauthenticated.

As it stands, users can’t patch the flaw themselves; the update has to come from their ISPs.
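Because the forged request is sent by the victim's own browser, one check available on the user or network side is to look for pages and HTML mail whose automatically loaded resources point at a local address. The Python sketch below is an added example, not code from Longenecker or Arris; the function names, the sample HTML and the addresses and paths in it are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a browser fetches on its own, with no click needed.
# Plain <a href> links are left out because they require user interaction.
AUTO_FETCH = {
    ("img", "src"), ("iframe", "src"), ("script", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("link", "href"), ("object", "data"),
}

def is_local_target(url):
    """True if the URL's host is an IP literal in private, loopback or link-local space."""
    try:
        host = urlsplit(url).hostname
        if not host:
            return False
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name rather than an IP literal, or a malformed URL
    return addr.is_private or addr.is_loopback or addr.is_link_local

class LocalFetchFinder(HTMLParser):
    """Collects auto-loaded resources whose URL points at a local address."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH and is_local_target(value):
                self.hits.append((tag, name, value))

def find_local_fetches(html):
    finder = LocalFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: addresses and paths are placeholders, not real endpoints.
SAMPLE = """
<img src="https://cdn.example.com/cat.png">
<img src="http://192.168.0.1/constructed-path" width="1" height="1">
<a href="http://192.168.0.1/constructed-path">click me</a>
<iframe src="//10.0.0.1/constructed-frame"></iframe>
<img src="http://example.com/192.168.0.1.png">
"""

if __name__ == "__main__":
    for tag, attr, url in find_local_fetches(SAMPLE):
        print(f"<{tag} {attr}> loads a local address: {url}")
```

The check only sees IP literals, so a DNS name that resolves to a local address passes unnoticed; catching that case needs resolution at the proxy or resolver.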

“We are in the process of working with our Service Provider customers to make this release available to subscribers,” Arris said of the flaw. “There is no risk of access to any user data and we are unaware of any exploits.”

“We take product performance very seriously,” the company added. “We work actively with security organizations and our service provider customers to quickly resolve any potential vulnerabilities to protect the subscribers who use our devices.”

Arris says only a “subset” of its 135 million SB6141 modems in production are vulnerable to this issue, though Longenecker has since updated his post to note that the same flaw impacted older models like the SURFboard 5100 and the 6121. As such, it remains entirely unclear just how many impacted modems we’re talking about, or just which ISPs are rushing to fix the vulnerability.